Security Considerations¶

The following modules have specific security considerations:

base64: base64 security considerations in RFC 4648
cgi: CGI security considerations
hashlib: all constructors take a “usedforsecurity” keyword-only argument disabling known insecure and blocked algorithms
http.server is not suitable for production use, only implementing basic security checks. See the security considerations.
logging: Logging configuration uses eval()
multiprocessing: Connection.recv() uses pickle
pickle: Restricting globals in pickle
random shouldn’t be used for security purposes, use secrets instead
shelve: shelve is based on pickle and thus unsuitable for dealing with untrusted sources
ssl: SSL/TLS security considerations
subprocess: Subprocess security considerations
tempfile: mktemp is deprecated due to vulnerability to race conditions
xml: XML vulnerabilities
zipfile: maliciously prepared .zip files can cause disk volume exhaustion

© Copyright 2001-2023, Python Software Foundation.
This page is licensed under the Python Software Foundation License Version 2.
Examples, recipes, and other code in the documentation are additionally licensed under the Zero Clause BSD License.
See History and License for more information.

The Python Software Foundation is a non-profit corporation. Please donate.

Last updated on Nov 14, 2023. Found a bug?
Created using Sphinx 3.4.3.